Hi,

Hm, I think academia is already involved in this, to some degree (*), although it likely won't dig much deeper. For one thing, there's our own analysis that ran over 1.5 years, presented at IMC 2011. Then, Hubaux's group at EPFL has presented a shorter, but similar analysis at WEIS 2011. EFF+iSec and Ivan Ristic have both given talks at hacker conferences, and their data sets are available. So are ours. We also used EFF data and found the numbers well in line with our other data sets. There are 1 or 2 other works with different foci (e.g. the one about the Debian weak keys deployment, IMC 2009).

And, yes, the problem is there. Is it going to stay? Our view on it is that the "certification structure" is the main problem, i.e. bad and very bad PKI deployment plus a failed concept of overly large root stores in clients. The attack vectors are quite clear and have been discussed quite often. I don't think it's a problem that industry will solve on their own - the monetary incentives are actually quite the opposite of what you'd want (Oh dear, that might be another thread now). Plus, the threat model is quite unclear - is this PKI supposed to protect against Mallory trying to get CC numbers over the WLAN, or is it against a state spying on its citizens' Gmail communication?

(*) One issue for academia in continuing with this is funding by state or industry. We were actually very lucky we could receive some funding through an EU program, and even then that was very late in the research and paid us less than 2 full-time months. You see, all these PKI problems are well-known, and no-one has come up with sensible solutions in the past decades. I currently know of no funding programs that would focus on analysis and improvement of PKIs. All the money in security seems to be with malware, botnets, firewalls, network resilience and, recently, privacy and possibly censorship (all important, of course).

Ralph

On 11/11/2011 06:04 PM, Ben Wilson wrote:
> Maybe "the Cause" needs to be taken up in academia, if it isn't already.
> There are serious problems with the ecosystem and empirical studies and
> models for the security infrastructure need further architecting. For
> instance, the EFF's Observatory, Phillip's criticism of the CA data, and the
> demands from academia and local, regional and national governments for
> publicly trusted roots leads me to think that "the problem" - if it is one -
> is only going to grow. I think more studies need to be done.

--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
